WordPress Security

Welcome to the WordPress security article. In this article we are going to be covering how to help keep your WordPress install safe and how to help minimize the possibility of your website being breached. Because WordPress is a very popular website application, assailants are always attempting to find weaknesses inside of the code that will allow them access to the core administrator features. When a WordPress site is breached, it is normally because of one of the following:

To Create a Public/Hidden Phishing Site

To be used as an Email Spam Source

To Deface your Site

To steal Member Details (emails, encrypted passwords, etc.)

Now onto the good part, how we can help prevent security breaches.

Update!

WordPress releases updates all the time. A large majority of them have security fixes in addition to the standard feature upgrades. It is VERY important that you update your WordPress as soon as possible when a new version is available. Also something to keep in mind, WordPress announces the security holes that they patched when new updates go out. Because of this, a large number of people have access to the information required to breach the older versions of WordPress. Always be on the lookout for the update notice that appears on the home-screen of the admin dashboard.

For more detailed information about how and why to update WordPress, please click here.

Good Passwords

Another method assailants use when attempting to breach your WordPress install is password cracking. We go into more detail about what this is in the Password article of this series. Password cracking, at its simplest, is trying a large number of passwords until the correct one is found. One of the best ways to help prevent this type of attack is to use strong passwords. For more information about passwords, please click here.

Extra Password

Some hosts (including us) allow you to use server-based authentication to help reduce the possibility of your password being breached through cracking. This works by having 2 login prompts. One login uses htaccess, while the other is the standard WordPress login. You must enter your htaccess credentials before you even see the WordPress login form.

There are also plugins that will help you do this directly from the WordPress admin dashboard. We link to one later in this article.

Directory Index

A good way we can help protect our files is to disable directory indexing. This makes it so that when people try to access just a folder they do not see the files inside of the folder. However, please keep in mind that they can still access them if they know what the full file path is.
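Both the extra htaccess login described above and the directory-index setting can be done from a .htaccess file in the WordPress document root. The fragment below is an added example, not from the original article; the password file path /home/example/.htpasswd (created with the htpasswd tool) and the realm name are assumptions.

```apache
# Added example (not part of the original article). Place in the WordPress
# document root. The .htpasswd path and realm name are assumptions; keep the
# password file outside the web root.

# Disable directory indexing so a request for a bare folder does not list its files
Options -Indexes

# Require a separate server-level login before wp-login.php is even served,
# giving the two login prompts the article describes
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /home/example/.htpasswd
    Require valid-user
</Files>
```

Only wp-login.php is protected here, so wp-admin/admin-ajax.php stays reachable for plugins and themes that call it from the public site.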

Themes

Almost all of us use themes for our WordPress site; it allows us to customize the way our site looks and feels. However, something to keep in mind is that themes can also have security holes from bad code. It is important to use a theme that has been done by a professional/experienced person that knows how to code securely. It’s also important to update your theme if a new version has been released, just like WordPress updates.

Plugins

Plugins help us by adding features to WordPress that we may need for a website or project. Like themes, it is very possible that plugins have security holes. Here are a few tips when picking your plugins.

Active Plugins

Never use a plugin that has not been updated in a reasonable amount of time. This could be an indication that the developer may not be providing security updates, and in turn, could open potential security risks for your site.

Trusted Sources

We recommend only using plugins that have been vetted by the WordPress community. Don’t install plugins that have low reviews or bad comments. This could be a sign that the plugin developer does not have a full understanding of good coding habits and/or security.

Databases

If you run multiple WordPress sites, it is highly recommended that you use different databases (and database users) for each one. This will help prevent all of your sites from being compromised if someone was able to access your database login credentials.

Table Prefix

Avoid using the default wp_ database table prefix. It will help prevent pre-written attacks that rely on the default table prefix. This can be changed during the WordPress install process or by changing your database layout and configuration file.

Backup!

In this day and age, it’s always a good idea to keep regular backups of your site. While we maintain backups here at Site5, it’s also a good idea to run backups yourself as an extra layer of protection.

SSL/HTTPS

We cover this topic in more detail inside of our passwords article, but it’s worth noting a few things here. HTTPS encrypts traffic sent to and from the server, making it difficult for assailants to intercept your data. If you have a popular website, it is a good idea to purchase an SSL certificate and have it installed on your account to help prevent the possibility of someone snatching your private data (like passwords) out of the air. For more information, please see our Password article here.

Logs

You should be checking your logs from time to time to see if there are a lot of requests being made where they shouldn’t be. For example, if someone has visited the WordPress login page over 1000 times in the past few minutes, it’s a good indication that someone is trying to crack your password. You can then take the IP from the visitor and block it to help slow them down. There are plugins out there that can do this for you automatically, saving you time and headaches.
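The check described above, counting hits on the login page per client IP, can be scripted against the web server access log. This is an added example, not from the original article; the log lines are constructed sample data in combined log format, and the threshold is a parameter you choose.

```shell
#!/bin/sh
# Added example (not part of the original article): report client IPs that hit
# wp-login.php at least N times in an Apache/Nginx combined-format access log.

# Usage: login_flood_ips LOGFILE THRESHOLD
# Prints "COUNT IP" for every client at or above THRESHOLD, highest count first.
login_flood_ips() {
    log="$1"
    threshold="$2"
    # In combined log format field 1 is the client IP and field 7 the request
    # path; the regex also matches wp-login.php with a query string appended.
    awk -v limit="$threshold" '
        $7 ~ /^\/wp-login\.php/ { hits[$1]++ }
        END {
            for (ip in hits)
                if (hits[ip] >= limit)
                    printf "%d %s\n", hits[ip], ip
        }' "$log" | sort -rn
}

# Constructed sample log: 203.0.113.9 repeatedly POSTs to the login page,
# 198.51.100.4 is an ordinary visitor.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:38 +0000] "GET /index.php HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
EOF

login_flood_ips "$SAMPLE_LOG" 3
# Prints "3 203.0.113.9"
```

On a live server, point the function at the real access log and feed the reported IPs to your host's IP blocking tool or plugin, as the section above suggests.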

For more information on how to access the logs and what you are looking for, please click here.

sFTP

When possible, try to use sFTP rather than FTP when uploading or changing your files. This will secure the traffic and help prevent assailants from intercepting the files you are uploading.

Recommended Plugins

In this section, we will cover plugins that may be helpful for keeping your WordPress site secure. Please note: We do not offer support (in terms of questions or issues) for these plugins, nor can we guarantee their security. Use them at your own risk.

Bulletproof Security

This plugin takes a lot of the grunt work out of htaccess files. It allows you to add passwords, block non-public folders and much more.